Team Password Management
========================
:author: Aaron Ball
:email: nullspoon@iohq.net


== {doctitle}

A while back I started looking for alternate means to manage my passwords,
specifically because I had started playing more with pgp encryption. I thought
it would be neat to use pgp to encrypt a password database and/or use git to
version the passwords. It turns out that someone had the idea before I did: the
developers of password-store.

Password-store, or pass, is a very impressive command line bash script that
uses git to version passwords and pgp keys to encrypt/decrypt each password.
Specific to this post, though, it builds on a feature that pgp/gpg supports:
the --encrypt-to switch.


== gpg --encrypt-to

The --encrypt-to switch for the gpg command encrypts the given stream to
multiple recipients. For the purposes of password management, it allows each
user of the password database to add their pgp key to the _.gpg-id_ file. The
effect is that each subsequent save of a given password re-encrypts it using
every pgp key listed in the .gpg-id file.

Effectively, each user of the password repo can have their own password (the
passphrase protecting their pgp private key) without knowing the passwords
other members are using. This means that if, for example, an employee leaves
the company, the remaining repo members can simply remove that person's key
from the .gpg-id file, and all further changes (regenerations) of the passwords
will no longer be encrypted with the departed employee's key, thus revoking
their access to everything changed from that point on.

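Removing a key from .gpg-id only affects entries that are rewritten afterwards, so it is worth checking which entries in the store still carry a departed recipient. The following is an added example (not code from the post or from password-store) that walks the OpenPGP packet stream of a pass entry and lists the key IDs it is encrypted to; translating the user ids in .gpg-id into key IDs is assumed to be done separately with the keyring (for instance `gpg --list-keys --with-colons`).

```python
# Added example (not from the post or password-store): which key IDs can
# decrypt a pass entry? One PKESK packet (tag 1) is emitted per recipient.
# Mapping .gpg-id entries to key IDs needs a keyring (gpg --list-keys
# --with-colons); that lookup is assumed to happen outside this snippet.

def _packets(data: bytes):
    """Yield (tag, body) for each packet in an OpenPGP message (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def pkesk_keyids(data: bytes) -> set:
    """Key IDs (uppercase hex) of every version-3 PKESK packet in the file."""
    return {body[1:9].hex().upper() for tag, body in _packets(data)
            if tag == 1 and body[0] == 3}  # 8-byte key ID follows the version

def stale_recipients(data: bytes, allowed: set) -> set:
    """Key IDs the file is still encrypted to but no longer listed in .gpg-id."""
    return pkesk_keyids(data) - allowed

def _pkesk(keyid_hex: str) -> bytes:
    """Constructed RSA PKESK: old-format header, version 3, key ID, algo 1, tiny MPI."""
    body = b"\x03" + bytes.fromhex(keyid_hex) + b"\x01" + b"\x00\x08\x55"
    return bytes([0x84, len(body)]) + body

# Constructed sample: two recipients, then an empty SEIPD packet (tag 18, new
# format). A real entry would carry the ciphertext there.
SAMPLE = _pkesk("0123456789ABCDEF") + _pkesk("FEDCBA9876543210") + b"\xd2\x00"
```

Run `stale_recipients(open(path, "rb").read(), allowed_ids)` over every .gpg file under ~/.password-store to find entries that still need re-encrypting; an all-zero key ID means the recipient was hidden (gpg --throw-keyids / --hidden-recipient) and cannot be audited this way.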

== Setup

Setup for this is fairly simple if you're accustomed to using git and gpg/pgp.
The commands for pass are very intuitive.

To create a pass database (assuming you already have it installed), execute...

----
pass init user@gpg-id-to-be-used.com
----

To add other users' pgp keys, just add their ids to the .gpg-id file located at
\~/.password-store/.gpg-id. Each password created after that will be encrypted
to each user listed in that file.

Note: Remember that each key you add to the .gpg-id file must have at least
marginal trust in gpg.


== Questions

=== What about arbitrary users adding themselves to .gpg-id?

The nice thing about gpg is that it will not allow usage of the --encrypt-to
switch (amongst other switches) without a measure of trust in the key in
question. This means that if any user adds their own key to the .gpg-id file,
every subsequent password change will yield an error, indicating that the
password file cannot be encrypted to the given untrusted key.

Another perk of pass is that it versions all changes to the password "database"
in git, so the user who added their key to the .gpg-id file will have left a
log entry (assuming they didn't rewrite history to conceal their subterfuge),
and thus they can be dealt with appropriately.


=== What if I want to run more than one database?

Add the following to your .bashrc file.

----
#
# Function to override calls to the pass binary. Allows for multiple
# password-store backends: based on the first argument given to "pass", it
# selects a different password store directory.
#
# Example usage:
# # Will edit entry foo in the default password-store
# pass edit foo
#
# # Will edit entry foo in the alternate, team, password-store
# pass team edit foo
#
function pass {
    local alt='team'
    if [[ "${1}" == "${alt}" ]]; then
        export PASSWORD_STORE_DIR="${HOME}/.password-store.${alt}"
        # Shift off the first argument so pass sees the real subcommand
        shift
    else
        export PASSWORD_STORE_DIR="${HOME}/.password-store"
    fi

    # Call the actual binary, passing the remaining arguments through intact
    /usr/bin/pass "${@}"
}
----

That will override calls to the pass binary (usually /usr/bin/pass),
intercepting the first argument. If the first argument is team, it will look in
\~/.password-store.team for passwords. If the first argument is not team, then
it looks in the default location, ~/.password-store.


Category:Security
Category:Encryption
// vim: set syntax=asciidoc:
|